- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 23 Jul 2007 03:37:31 -0700
- To: Web APIs WG <public-webapi@w3.org>, Ian Hickson <ian@hixie.ch>
Hi All,

I'm currently working on implementing cross-site XMLHttpRequest as detailed in this draft:

http://lists.w3.org/Archives/Public/public-webapi/2006Jun/0012

However I'm a little bit worried about two things regarding non-GET requests.

First of all I don't like that POST requests can be made unchecked to any url. I do realize that this seems possible already using plain/text encoded forms, but this is possibly something that browsers will need to change.

Second, I'm a little bit worried about the algorithm used for non-GET (non-POST in the current draft) in connection with redirects. From my understanding the following is a valid scenario:

1. Web page on server A makes a DELETE request to server B
2. XHR implementation sends a GET request to server B
3. Server B redirects to server C
4. Server C sends reply that approves the request using appropriate headers and an "Allow: DELETE" header
5. XHR implementation sends DELETE request to server B
6. Server B deletes file on requested uri.

What worries me is that in step 5 the DELETE request is sent to server B even though server B has never explicitly allowed that. Granted, since the redirect chain for the DELETE request is not the same for the initial GET request as for the DELETE request, the returned result will not be accessible to the web page, but that hardly matters as the damage is already done.

The only thing server B has done is to redirect to server C. This could be done without any knowledge of XHR or the cross-site spec.

I propose we instead specify that the DELETE request should be done to the final uri of the redirects in the GET request. And if the DELETE request produces any redirects then those must not be honored.

Do other people have an opinion? In general it feels to me like redirects and non-GET requests cross site is a rare edge-case and not something that is particularly important. So we might as well do the safe thing.

I could even see disallowing redirects entirely, even for the initial GET request.

Best Regards,
Jonas Sicking
Received on Monday, 23 July 2007 10:38:34 UTC
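
The six-step scenario in the message above, next to the two alternatives it proposes, modelled as an added example that is not part of the original message or the draft. The host names, paths, policy names and the `allow` field standing in for the approval headers are constructed, and the servers are in-memory tables rather than real HTTP endpoints.

```javascript
// Constructed in-memory model of servers B and C from the scenario.
// Host names, paths and the "allow" field (standing in for the approval
// headers plus "Allow: DELETE") are assumptions for illustration.
const servers = {
  "b.example": { "/file": { redirect: "http://c.example/policy" } },
  "c.example": { "/policy": { allow: ["DELETE"] } },
};

// Record the request in the log and return the server's reply.
function send(method, url, log) {
  const { host, pathname } = new URL(url);
  log.push(`${method} ${host}${pathname}`);
  return (servers[host] || {})[pathname] || {};
}

// Authorization GET: returns the final URL of the redirect chain and its reply.
function authorizationGet(url, log, followRedirects, maxHops = 5) {
  let reply = send("GET", url, log);
  for (let hops = 0; reply.redirect; hops++) {
    if (!followRedirects || hops >= maxHops) return { url, reply: {} };
    url = reply.redirect;
    reply = send("GET", url, log);
  }
  return { url, reply };
}

// policy "draft":        real request goes to the originally requested URL
// policy "final-uri":    real request goes to the final URI of the GET chain
// policy "no-redirects": a redirect on the GET fails the whole request
function crossSiteRequest(method, url, policy) {
  const log = [];
  const check = authorizationGet(url, log, policy !== "no-redirects");
  if (!(check.reply.allow || []).includes(method)) return { sent: false, log };
  const target = policy === "draft" ? url : check.url;
  // Sent once; this model never follows a redirect answering a non-GET request.
  send(method, target, log);
  return { sent: true, target, log };
}

for (const policy of ["draft", "final-uri", "no-redirects"]) {
  const r = crossSiteRequest("DELETE", "http://b.example/file", policy);
  console.log(policy.padEnd(13), r.log.join(" -> "));
}
```

Under the "draft" policy the log ends with a DELETE to server B, which never sent an approval; under "final-uri" the DELETE reaches only server C, and under "no-redirects" no DELETE is sent at all.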